I believe there are only two types of validation visible to the user -- basic and extended. Business validation may mean you can put a validation seal on your website, but anyone can fraudulently put up that seal or make up one of their own. Only EV certs give the user a hard-to-spoof visible confirmation that the site is using an EV cert. "Business validation" seems like it's not worth paying for. Unless you're accepting payment or sensitive personal information, I wouldn't even bother with an EV cert - it doesn't make your site more secure, but gives your users peace of mind.
– Johnny Mar 27 '14 at 22:39

4 Answers

They don't make the connection any more secure in terms of the encryption being hard to break, but they do make it more secure in that it is less likely an intruder was able to trick a CA into issuing a certificate in error.

The level of validation is entirely about earning the trust of your users. Personally, I just do basic validation, but that's just validating to a name or a domain a lot of the time. Knowing that I'm actually talking to the server www.iamevil.com doesn't really help instill confidence. Business validation allows you to have the certificate use the business name and proves that I'm talking to a real organization. Extended validation results in the green bar being presented on most browsers indicating that there is a high degree of trust in the identity of the party they are communicating with.

@Rob - the 3rd option is not just for banks. It is for anyone that wants to give their users the most possible trust that they are who they say they are. If your users are all going to know that your domain is actually your domain, you are probably fine with basic, however if you are going to have any walk-ins to your site, having further proven your identity will be beneficial.
– AJ Henderson Mar 27 '14 at 13:37

A certification authority is supposed to verify the identity of whoever requests a certificate before issuing (signing) that certificate; a certificate containing the name www.example.com shall be awarded only to an entity who indeed "owns" the domain example.com. An Extended Validation Certificate is a certificate where the CA made that identity verification more thoroughly.

Theoretically, this extra validation makes it harder for attackers to obtain fake certificates for domains that they do not own. In practice this does not really increase security for two reasons:

This extra validation will block attackers only if end users enforce it. Namely, you could buy an EV certificate for your server, but the attacker, supposedly, will only be able to bamboozle the CA into issuing a fake non-EV certificate. So what? The attacker will run his fake Web site with the fake non-EV certificate. Nothing has changed, unless the end user (the poor guy who is about to see his bank account siphoned out) makes sure that he connects only to an EV-certified bank site, and refuses to type his password if his browser does not show the extra-green thingy. Real users don't do that. At best, most users will abstain if they get an explicit, red, scary warning; but expecting users to react on the simple lack of a green rectangle is too optimistic.

Phishing, as it is done today, does not use fake certificates. Obtaining a fake certificate is too much trouble. 99% of the phishing is about showing a non-SSL site (http://, not https://) to the victim, and hoping that the victim won't notice. It works well. After all, if the phisher can plunder the bank accounts of only, say, the 10% most gullible victims, then... the phisher still gets rich.

Peter Gutmann calls EV certificates an illustration of the PKI-me-harder effect; the main consequence is that commercial CAs can charge more for certificates, in the name of better solving a problem that we did not have before.

The end user is the important element here. You will need an EV certificate when (if) end users begin to require the greenish graphical element, and go spend their money elsewhere if they don't see it (and, at that point, it would become non-ridiculous to claim that EV certificates actually increase security). I don't see such things happening any time soon. Unless browser vendors collude with the big commercial CAs to make non-EV certificates appear red and scary.

+1 for mentioning the most important part. The end user. In the end, that's the ONLY thing that matters, and in my estimation very few end users know anything about green bars deserving any more trust.
– Steve Sether Jun 17 '15 at 15:36

About your last paragraph; we're already seeing Chrome being in-your-face about a SHA1 cert, while not saying anything about a garden variety HTTP page. This is where the bottleneck is.
– Mike Ounsworth Jun 17 '15 at 15:49

+1 for explaining the flawed logic behind EV certificates. Question: When I've established a man-in-the-middle position against non-EV communication and issue a self-signed certificate instead of the expected cert from the real site, the user will get a browser warning that my cert is not trusted. They then can click through this warning. I've found that with an EV certificate, that method of clicking through the warning does not work. Doesn't this add something to the security (preventing users from being stupid?)
– mcgyver5 Jun 17 '15 at 16:00

The idea of EV vs non-EV certificate is that the attacker is assumed to be able to obtain a fake non-EV certificate from an existing CA -- and then, there will be no warning to click through. Browsers don't allow users to "click through" warnings about purportedly EV certificates that don't validate cleanly (and that's, in some way, about protecting users from themselves), but then the attacker won't present a fake EV certificate, avoiding this issue.
– Tom Leek Jun 17 '15 at 16:39

As AJ says, it doesn't have any impact on the level of encryption but it is intended to protect the trust model underpinning SSL/TLS.

For most sites using SSL, the overriding consideration is how this is perceived by customers. AFAIK there is no visible difference between the first 2, but EV adds a green thing to your location bar in most browsers. Whether this actually makes a difference to users, I don't know - not surprisingly the CAs claim they do but I've seen little evidence to support this. I remember reading a research paper several years ago where the investigators found that more users thought a site was more secure if it contained a picture of a padlock than if it were served up over HTTPS.

I'd like to think that users are getting more sophisticated - and therefore this is likely to change over time. But you'll need to do a bit of research to decide if there's a measurable benefit (or run an A/B test).

...but that's true of all certs BV / DV / EV. If you can install a rogue root CA cert into the user's trust store, then any cert will be trusted, regardless of its validation level.
– Mike Ounsworth Jun 17 '15 at 14:36

@MikeOunsworth EV won't pass with a rogue root certificate. EV CA OIDs are separately hardcoded into the browser and don't use the browser's trust store. The browser application would need to be compromised in order to make it show a green bar, at which point SSL is no longer the primary concern. Of course, the user has to actively look for a green bar for it to be effective.
– Monstieur Jun 18 '15 at 8:54
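As an added illustration of the browser-side check Monstieur refers to (example code written for this page, not from the thread or any browser): the "EV" decision is a membership test of the policy OIDs in a certificate's certificatePolicies extension against a list built into the browser, which also ties each EV OID to a specific root. The block below walks that extension's DER with no external libraries and tests for the CA/Browser Forum EV policy OID 2.23.140.1.1 (a published value); the two sample extension values are constructed inline, not taken from real certificates.

```python
# Published CA/Browser Forum policy identifiers (real values).
EV_POLICY_OID = "2.23.140.1.1"
DV_POLICY_OID = "2.23.140.1.2.1"

def encode_oid(oid: str) -> bytes:
    # Dotted OID -> DER content bytes: first two arcs packed, rest base-128.
    arcs = [int(a) for a in oid.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def decode_oid(raw: bytes) -> str:
    # Inverse of encode_oid; a first byte >= 80 means the joint-iso arc 2.x.
    arcs = [2, raw[0] - 80] if raw[0] >= 80 else [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def iter_tlv(buf: bytes):
    # Yield (tag, value) for each DER TLV in buf; handles long-form lengths.
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + length]
        pos += length

def policy_oids(ext_value: bytes) -> list:
    # certificatePolicies ::= SEQUENCE OF SEQUENCE { policyIdentifier OID, ... }
    (tag, seq), = iter_tlv(ext_value)
    assert tag == 0x30, "expected outer SEQUENCE"
    return [decode_oid(next(iter_tlv(info))[1]) for t, info in iter_tlv(seq) if t == 0x30]

def is_ev(ext_value: bytes) -> bool:
    return EV_POLICY_OID in policy_oids(ext_value)
def der(tag: int, body: bytes) -> bytes:  # short-form length; enough for the samples
    return bytes([tag, len(body)]) + body

# Constructed sample extension values: one EV-style, one DV-style.
EV_SAMPLE = der(0x30, der(0x30, der(0x06, encode_oid(EV_POLICY_OID))))
DV_SAMPLE = der(0x30, der(0x30, der(0x06, encode_oid(DV_POLICY_OID))))
```

A real check also requires the chain to end at the root the browser associates with that OID, which is why a rogue root in the OS trust store does not earn the EV indicator.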